
Have a check to prevent non-existent accounts from being added to LDAP groups
Open, High, Public

Description

To prevent T199557#4490609 from ever happening again, there should be a check that ensures the account exists, before actually adding them to the LDAP group.

Setting priority to high since this has a security impact.
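The check this task asks for, as an added example that is not part of the task or of Wikimedia's own tooling: refuse to add a uid to a group unless a matching account entry exists. The in-memory `Directory` class is a constructed stand-in for the LDAP server; `add_to_group`, `AccountNotFound` and the sample uids are assumptions made for the illustration.

```python
# Added example (not modify-ldap-group or ldapvi): verify the account exists
# before adding its uid to an LDAP group.
from dataclasses import dataclass, field


class AccountNotFound(Exception):
    """Raised when the uid to be added has no entry under the people base."""


@dataclass
class Directory:
    """Constructed in-memory stand-in for the LDAP server. A real run would
    issue the same lookup and modify through python-ldap or ldap3 instead."""
    people: dict = field(default_factory=dict)  # uid -> entry DN
    groups: dict = field(default_factory=dict)  # cn  -> set of memberUid values

    def search_uid(self, uid):
        # Stands in for a search of (uid=<uid>) under the people OU.
        return self.people.get(uid)

    def modify_add_member(self, cn, uid):
        # Stands in for a MODIFY_ADD of memberUid on the group entry.
        self.groups.setdefault(cn, set()).add(uid)


def add_to_group(directory, cn, uid):
    """Add uid to group cn only after confirming the account exists.

    Returns True when a member was added, False when uid was already a member.
    Raises AccountNotFound if no account matches uid, so the group never ends
    up carrying membership for an account that does not exist."""
    if cn not in directory.groups:
        raise KeyError(f"unknown group: {cn}")
    if directory.search_uid(uid) is None:
        raise AccountNotFound(f"no account with uid={uid!r}; not adding to {cn}")
    if uid in directory.groups[cn]:
        return False
    directory.modify_add_member(cn, uid)
    return True


def demo():
    """Exercise the happy path, the idempotent path and a typoed uid."""
    d = Directory(people={"alice": "uid=alice,ou=people,dc=example,dc=org"},
                  groups={"ops": set()})
    results = [add_to_group(d, "ops", "alice"), add_to_group(d, "ops", "alice")]
    try:
        add_to_group(d, "ops", "alcie")  # typo of an existing uid
        results.append("added")
    except AccountNotFound:
        results.append("rejected")
    return results
```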

Event Timeline

Legoktm triaged this task as High priority. Aug 12 2018, 8:03 AM
Legoktm created this task.
Restricted Application added a subscriber: Aklapper. Aug 12 2018, 8:03 AM

I'll add this to the existing account consistency check.

Legoktm added a subscriber: Dzahn. Sep 8 2018, 1:07 AM

@MoritzMuehlenhoff I think this needs to be something integrated into whatever tool is being used to add people to LDAP rather than something after the fact. It happened again today: https://tools.wmflabs.org/sal/log/AWW1Q3TLwY2u4JUTIzpe

Dzahn added a comment. Sep 8 2018, 2:13 AM

This lasted mere seconds. Shouldn't have logged it before confirming.

Bump, this happened again: {T224110}.

If someone could document what script is being used to do this, I can look into writing a patch.

Dzahn added a comment. Jul 9 2019, 11:57 PM

> Bump, this happened again: {T224110}.
>
> If someone could document what script is being used to do this, I can look into writing a patch.

I use "modify-ldap-group" to make changes to LDAP groups. But then there is also "ldapvi" which others might be using. It's possible that modify-ldap-group does more checks than ldapvi, which is more "raw" editing.

RobH removed a subscriber: RobH. Mar 3 2020, 6:00 PM